new(docker): introduce a new development docker image

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

.circleci/config.yml

@@ -3,48 +3,46 @@ jobs:
   "build-arm64":
     machine:
       enabled: true
-      image: ubuntu-2204:2022.10.2
+      image: ubuntu-2004:202101-01
     resource_class: arm.medium
     steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path to the source code
       - checkout:
           path: /tmp/source-arm64/falco
-
-      # Build the skeleton
       - run:
-          name: Build modern BPF skeleton 🐝
+          name: Prepare project
           command: |
-            mkdir -p /tmp/source-arm64/falco/skeleton-build
-            cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
+            mkdir -p /tmp/build-arm64 && mkdir -p /tmp/build-arm64/release && \
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              cmake
       - run:
-          name: Build Falco packages 🏗️
+          name: Build
           command: |
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/centos7-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco
-
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              all
+      - run:
+          name: Run unit tests
+          command: |
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              tests
+      - run:
+          name: Build packages
+          command: |
+            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
+              falcosecurity/falco-builder:latest \
+              package
+      - run:
+          name: Prepare Artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /tmp/build-arm64/release/*.deb /tmp/packages
+            cp /tmp/build-arm64/release/*.tar.gz /tmp/packages
+            cp /tmp/build-arm64/release/*.rpm /tmp/packages
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
-
       - persist_to_workspace:
           root: /tmp
           paths:
@@ -69,7 +67,7 @@ jobs:
           command: |
             mkdir -p /build-static/release
             cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_LIBELF=Off -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
       - run:
           name: Build
           command: |
@@ -98,56 +96,43 @@ jobs:
           paths:
             - build-static/release
             - source-static
+  # Build using our own builder base image using centos 7
   # This build is static, dependencies are bundled in the Falco binary
   "build-centos7":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
     steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path for the source code
       - checkout:
-          path: /tmp/source/falco
-
+          path: /source/falco
       - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source/falco/skeleton-build
-            cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
       - run:
-          name: Build Falco packages 🏗️
-          command: |
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/centos7-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
       - persist_to_workspace:
-          root: /tmp
+          root: /
           paths:
             - build/release
             - source
-
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build/release/*.deb /tmp/packages
+            cp /build/release/*.tar.gz /tmp/packages
+            cp /build/release/*.rpm /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
   # Execute integration tests based on the build results coming from the "build-centos7" job
   "tests-integration":
     docker:
@@ -162,12 +147,9 @@ jobs:
           at: /
       - run:
           name: Execute integration tests
-          command: |
-            /usr/bin/entrypoint test
+          command: /usr/bin/entrypoint test
       - store_test_results:
           path: /build/release/integration-tests-xunit
-
-  # Execute integration tests based on the build results coming from the "build-musl" job
   "tests-integration-static":
     docker:
       - image: falcosecurity/falco-tester:latest

.github/workflows/ci.yml

@@ -167,48 +167,4 @@ jobs:
         run: /usr/bin/entrypoint tests
 
       - name: Build packages
-        run: /usr/bin/entrypoint package
-
-# Before merging the PR we must remove this, right now we keep it just to have packages also from there
-  build-modern-bpf-packages:
-    runs-on: ubuntu-22.04
-    steps:
-
-      - name: Install deps ⛓️
-        run: |
-          sudo apt update
-          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libtool libelf-dev
-
-      - name: Checkout Falco 🦅
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      # Build the modern BPF skeleton
-      - name: Build modern BPF skeleton 🐝
-        run: |
-          mkdir -p skeleton-build
-          cd skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-          make ProbeSkeleton
-
-      - name: Build the artifact from the docker image 🏗️
-        run: |
-          DOCKER_BUILDKIT=1 docker build -f ./docker/builder/centos7-builder.Dockerfile --output type=local,dest=export-artifacts --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" .
-
-      - name: Upload deb ⏫
-        uses: actions/upload-artifact@v3
-        with:
-          name: falco.deb
-          path: ./export-artifacts/packages/falco-*.deb
-
-      - name: Upload rpm ⏫
-        uses: actions/upload-artifact@v3
-        with:
-          name: falco.rpm
-          path: ./export-artifacts/packages/falco-*.rpm
-
-      - name: Upload tar.gz ⏫
-        uses: actions/upload-artifact@v3
-        with:
-          name: falco.tar.gz
-          path: ./export-artifacts/packages/falco-*.tar.gz
+        run: /usr/bin/entrypoint package

CMakeLists.txt

@@ -233,3 +233,5 @@ endif()
 
 # Packages configuration
 include(CPackConfig)
+
+add_subdirectory(docker/dev)

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,10 +1,13 @@
-if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
+if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+endif()
+
+if(CPACK_GENERATOR MATCHES "RPM")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "43579a38cd35f1c0d2c0550c29fdbf11fb193b27")
-    set(DRIVER_CHECKSUM "SHA256=36f0aff6e456b76c869e77e034b6bd4a358b78e66ef47c3bfc1c8e9bd27d2671")
+    set(DRIVER_VERSION "3.0.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
-  URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
   URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "43579a38cd35f1c0d2c0550c29fdbf11fb193b27")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=36f0aff6e456b76c869e77e034b6bd4a358b78e66ef47c3bfc1c8e9bd27d2671")
+    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

docker/README.md

@@ -13,5 +13,6 @@ This directory contains various ways to package Falco as a container and related
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+| _not to be published_ | docker/dev | Built on-the-fly to test local Falco development. |
 
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+> Note: `falco-builder`, `falco-tester`, `docker/local`, `docker/dev` images are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

docker/builder/centos7-builder.Dockerfile

@@ -1,41 +0,0 @@
-FROM centos:7 AS build-stage
-
-# To build Falco you need to pass the cmake option
-ARG CMAKE_OPTIONS=""
-ARG MAKE_JOBS=4
-
-# Install all the dependencies
-WORKDIR /
-
-RUN yum -y install centos-release-scl; \
-    yum -y install devtoolset-8-gcc devtoolset-8-gcc-c++; \
-    source scl_source enable devtoolset-8; \
-    yum install -y git wget make m4 rpm-build
-
-# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
-RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
-    gzip -d /tmp/cmake.tar.gz; \
-    tar -xpf /tmp/cmake.tar --directory=/tmp; \
-    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
-    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
-
-# Copy Falco folder from the build context
-COPY . /source
-WORKDIR /build/release
-
-# We need `make tests` and `make all` for integration tests.
-RUN source scl_source enable devtoolset-8; \
-    cmake ${CMAKE_OPTIONS} /source; \
-    make falco -j${MAKE_JOBS}; \
-    make package; \
-    make tests -j${MAKE_JOBS}; \
-    make all -j${MAKE_JOBS}
-
-FROM scratch AS export-stage
-
-ARG DEST_BUILD_DIR="/build"
-
-COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
-COPY --from=build-stage /build/release/falco-*.deb /packages/
-COPY --from=build-stage /build/release/falco-*.rpm /packages/
-COPY --from=build-stage /build/release/ ${DEST_BUILD_DIR}

docker/dev/CMakeLists.txt

@@ -0,0 +1,20 @@
+# Build a docker container for local development
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+  set(DEV_DOCKER_CXT ${CMAKE_BINARY_DIR}/docker/dev-docker-ctx)
+
+  # This target prepares the `tar.gz` artifact that will be passed to the dockerfile.
+  add_custom_target(dev-docker-prepare
+    COMMAND mkdir -p ${DEV_DOCKER_CXT}
+    COMMAND "${CMAKE_COMMAND}" --build . --target package
+    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_BINARY_DIR}/falco-${FALCO_VERSION}-${FALCO_TARGET_ARCH}.tar.gz ${DEV_DOCKER_CXT}/falco.tar.gz
+    DEPENDS falco
+  )
+
+  add_custom_target(dev-docker
+    COMMAND docker build
+      --tag falco-nodriver-dev
+      -f ${CMAKE_SOURCE_DIR}/docker/dev/nodriver.Dockerfile
+      ${DEV_DOCKER_CXT}
+    DEPENDS dev-docker-prepare
+  )
+endif()

docker/dev/README.md

@@ -0,0 +1,59 @@
+# Falco development image
+
+This docker image can be easily generated starting from a clean Falco build.
+
+## 1. Clone the Falco repo ⬇️
+
+```bash
+git clone https://github.com/falcosecurity/falco.git
+```
+
+## 2. Prepare the build directory 🏗️
+
+### `falco-runner-image` tag
+
+The CMake command that we will see in the next section builds Falco locally on your machine, and push it into a docker image, so as you may imagine the final image that will run Falco must have a similar `GLIBC` version to your local one. For this reason, you have to use docker tags.
+
+The `nodriver.Dockerfile` will use the `falco-runner-image` tag to build the final image as you can see here:
+
+```dockerfile
+FROM falco-runner-image AS runner
+
+...
+```
+
+For example, if I build Falco locally on a un `ubuntu:22-04` machine I will instruct docker to use `ubuntu:22-04` as a final running image.
+
+```bash
+docker tag ubuntu:22.04 falco-runner-image
+```
+
+In this way the `nodriver.Dockerfile` will use `ubuntu:22-04` during the building phase.
+
+### Cmake command
+
+Now that we set the `falco-runner-image` tag, we are ready to build our Falco image. Starting from the project root:
+
+```bash
+mkdir build && cd build
+cmake -DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco ..
+make dev-docker
+```
+> __Please note__: These cmake options `-DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco` are the required ones but you can provide additional options to build the image according to your needs (for example you can pass `-DMINIMAL_BUILD=On` if you want a minimal build image or `-DBUILD_FALCO_MODERN_BPF=ON` if you want to include the modern bpf probe inside the image)
+
+## 3. Run the docker image locally 🏎️
+
+```bash
+docker run --rm -i -t \
+           --privileged \
+           -v /var/run/docker.sock:/host/var/run/docker.sock \
+           -v /dev:/host/dev \
+           -v /proc:/host/proc:ro \
+           falco-nodriver-dev
+```
+
+If you change something in the Falco source code you can simply rebuild the image with:
+
+```bash
+make dev-docker
+```

docker/dev/nodriver.Dockerfile

@@ -16,11 +16,18 @@ RUN mkdir falco; \
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new; \
     mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
-FROM debian:11-slim
+# Please note: it could be necessary to change this base image according
+# to the `glibc` version of the machine where you build the tar.gz package
+# use `docker tag ubuntu:22.04 falco-runner-image` for example
+FROM falco-runner-image AS runner
+
+LABEL name="falcosecurity/falco-nodriver-dev"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL usage="docker run -it --rm --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 
 COPY --from=builder /falco /
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true", "--modern-bpf"]
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
     https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
     fi;
 
-RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0

scripts/CMakeLists.txt

@@ -15,28 +15,26 @@
 # limitations under the License.
 #
 
-# Systemd
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-
-# Debian
 configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
-# Rpm
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

scripts/debian/falco.service

@@ -1,14 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security with plugin
+Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
-Conflicts=falco-kmod.service
-Conflicts=falco-bpf.service
-Conflicts=falco-modern-bpf.service
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
-User=%u
+User=root
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,9 +18,9 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
 
 [Install]
 WantedBy=multi-user.target

scripts/debian/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/debian/postinst.in

@@ -17,65 +17,58 @@
 #
 set -e
 
-chosen_driver=
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@DRIVER_VERSION@"
+NAME="@PACKAGE_NAME@"
 
-if [ "$1" = "configure" ]; then
-        if [ -x /usr/bin/dialog ]; then
-          # If dialog is installed, create a dialog to let users choose the correct driver for them
-          CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
-                1 "Don't start" \
-                2 "Kmod" \
-                3 "eBPF" \
-                4 "Modern eBPF" \
-                5 "Plugin" \
-                2>&1 >/dev/tty)
-            clear
-            case $CHOICE in
-                2)
-                    chosen_driver="kmod"
-                    ;;
-                3)
-                    chosen_driver="bpf"
-                    ;;
-                4)
-                    chosen_driver="modern-bpf"
-                    ;;
-                5)
-                    chosen_driver="plugin"
-                    ;;
-            esac
-        fi
-fi
+postinst_found=0
 
-# If needed, try to load/compile the driver through falco-driver-loader
-case "$chosen_driver" in
-    "kmod")
-      echo "[POST-INSTALL] Call 'falco-driver-loader module':"
-      falco-driver-loader module
-      ;;
-    "bpf")
-      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
-      falco-driver-loader bpf
-      ;;
+case "$1" in
+	configure)
+		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
+			if [ -f $DKMS_POSTINST ]; then
+				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
+				postinst_found=1
+				break
+			fi
+		done
+		if [ "$postinst_found" -eq 0 ]; then
+			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
+			echo "built with legacy DKMS support."
+			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
+			echo "support or upgrade DKMS to a more current version."
+			exit 1
+		fi
+	;;
 esac
 
+# Based off what debhelper dh_systemd_enable/13.3.4 would have added
+# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
+
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -n "$chosen_driver" ]; then
-            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
-            systemctl --system enable "falco-$chosen_driver.service" || true
-            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
-            systemctl --system start "falco-$chosen_driver.service" || true
+        # This will only remove masks created by d-s-h on package removal.
+        deb-systemd-helper unmask 'falco.service' >/dev/null || true
+
+        # was-enabled defaults to true, so new installations run enable.
+        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
+                # Enables the unit on first installation, creates new
+                # symlinks on upgrades if the unit file has changed.
+                deb-systemd-helper enable 'falco.service' >/dev/null || true
+        else
+                # Update the statefile to add new symlinks (if any), which need to be
+                # cleaned up on purge. Also remove old symlinks.
+                deb-systemd-helper update-state 'falco.service' >/dev/null || true
         fi
 fi
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-    if [ -d /run/systemd/system ]; then
-      echo "[POST-INSTALL] Trigger deamon-reload:"
-      systemctl --system daemon-reload || true
-      if [ -n "$chosen_driver" ]; then
-        echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
-        # restart falco on upgrade if service is already running
-        systemctl --system condrestart "falco-$chosen_driver.service" || true
-      fi
-    fi
+        if [ -d /run/systemd/system ]; then
+                systemctl --system daemon-reload >/dev/null || true
+                if [ -n "$2" ]; then
+                        _dh_action=restart
+                else
+                        _dh_action=start
+                fi
+                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
+        fi
 fi

scripts/debian/postrm.in

@@ -22,11 +22,18 @@
 set -e
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        echo "[POST-REMOVE] Disable all Falco services:"
-        systemctl --system disable 'falco-kmod.service' || true
-        systemctl --system disable 'falco-bpf.service' || true
-        systemctl --system disable 'falco-modern-bpf.service' || true
-        systemctl --system disable 'falco-plugin.service' || true
-        echo "[POST-REMOVE] Trigger deamon-reload:"
-        systemctl --system daemon-reload || true
+        systemctl --system daemon-reload >/dev/null || true
+fi
+
+if [ "$1" = "remove" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper mask 'falco.service' >/dev/null || true
+        fi
+fi
+
+if [ "$1" = "purge" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper purge 'falco.service' >/dev/null || true
+                deb-systemd-helper unmask 'falco.service' >/dev/null || true
+        fi
 fi

scripts/debian/prerm.in

@@ -22,18 +22,11 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        echo "[PRE-REMOVE] Stop all Falco services:"
-        systemctl --system stop 'falco-kmod.service' || true
-        systemctl --system stop 'falco-bpf.service' || true
-        systemctl --system stop 'falco-modern-bpf.service' || true
-        systemctl --system stop 'falco-plugin.service' || true
-        # this should be stopped after 'falco-kmod.service'
-        systemctl --system stop 'falco-kmod-inject.service' || true
+        deb-systemd-invoke stop 'falco.service' >/dev/null || true
 fi
 
 case "$1" in
 	remove|upgrade|deconfigure)
-                echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
-		falco-driver-loader --clean
+		/usr/bin/falco-driver-loader --clean
 	;;
 esac

scripts/falco-driver-loader

@@ -114,7 +114,8 @@ get_target_id() {
 		# Older CentOS distros
 		OS_ID=centos
 	else
-		return 1
+		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
+		exit 1
 	fi
 
 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -163,7 +164,6 @@ get_target_id() {
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
-	return 0
 }
 
 flatcar_relocate_tools() {
@@ -211,13 +211,7 @@ load_kernel_module_compile() {
 	fi
 
 	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
-		# Filter away gcc-{ar,nm,...}
-		# Only gcc compiler has `-print-search-dirs` option.
-		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
-		if [ "$?" -ne "0" ]; then
-			continue
-		fi
+	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
@@ -238,19 +232,14 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying to modprobe"
-			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found in dkms and loaded"
-				exit 0
-			fi
-			echo "* Unable to load ${DRIVER_NAME} module"
 			echo "* Trying insmod"
+			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
 			if insmod "$KO_FILE" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found in dkms and inserted"
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
+			else
+				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
-			echo "* Unable to insmod ${DRIVER_NAME} module"
 		else
 			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
 			if [ -f "${DKMS_LOG}" ]; then
@@ -264,6 +253,8 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
+	get_target_id
+
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
@@ -271,19 +262,12 @@ load_kernel_module_download() {
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
-		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
-		depmod ${KERNEL_RELEASE}
-		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-			echo "* Success: ${DRIVER_NAME} module found and loaded"
-			exit 0
-		fi
-		>&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module"
 		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
 			echo "* Success: ${DRIVER_NAME} module found and inserted"
 			exit 0
-		fi
-		>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
+		else
+			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
+		fi	
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
 		return
@@ -390,6 +374,8 @@ load_kernel_module() {
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
+	get_target_id
+
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -397,13 +383,6 @@ load_kernel_module() {
 	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
 		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true
-		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true
-		depmod ${KERNEL_RELEASE}
-		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-			echo "* Success: ${DRIVER_NAME} module found and loaded"
-			exit 0
-		fi
 		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi
@@ -422,7 +401,7 @@ load_kernel_module() {
 	# Last try (might load a previous driver version)
 	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
 	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-		echo "* Success: ${DRIVER_NAME} module found and loaded"
+		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
 		exit 0
 	fi
 
@@ -565,6 +544,8 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
+	get_target_id
+
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -657,8 +638,6 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
-TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
-
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -732,18 +711,6 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi
 
-	get_target_id
-	res=$?
-	if [ $res != 0 ]; then
-		if [ -n "$ENABLE_COMPILE" ]; then
-			ENABLE_DOWNLOAD=
-			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
-		else
-			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
-			exit 1
-		fi
-	fi
-
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

scripts/rpm/falco.service

@@ -1,15 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security with ebpf
+Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
-Conflicts=falco-kmod.service
-Conflicts=falco-modern-bpf.service
-Conflicts=falco-plugin.service
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
-Environment=FALCO_BPF_PROBE=
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -19,6 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/rpm/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -16,48 +16,21 @@
 #
 set -e
 
-chosen_driver=
-
-if [ $1 -eq 1 ]; then
-        if [ -x /usr/bin/dialog ]; then
-            # If dialog is installed, create a dialog to let users choose the correct driver for them
-            CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
-                    1 "Don't start" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
-                    5 "Plugin" \
-                    2>&1 >/dev/tty)
-                clear
-                case $CHOICE in
-                    2)
-                        chosen_driver="kmod"
-                        ;;
-                    3)
-                        chosen_driver="bpf"
-                        ;;
-                    4)
-                        chosen_driver="modern-bpf"
-                        ;;
-                    5)
-                        chosen_driver="plugin"
-                        ;;
-                esac
-        fi
+mod_version="@DRIVER_VERSION@"
+dkms add -m falco -v $mod_version --rpm_safe_upgrade
+if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
+	dkms build -m falco -v $mod_version
+	dkms install --force -m falco -v $mod_version
+elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since you"
+	echo -e "are running a BOOT variant of the kernel."
+else
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since the"
+	echo -e "kernel source for this kernel does not seem to be installed."
 fi
 
-# If needed, try to load/compile the driver through falco-driver-loader
-case "$chosen_driver" in
-    "kmod")
-      echo "[POST-INSTALL] Call 'falco-driver-loader module':"
-      falco-driver-loader module
-      ;;
-    "bpf")
-      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
-      falco-driver-loader bpf
-      ;;
-esac
-
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
 #                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
@@ -65,27 +38,27 @@ esac
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post "falco-$chosen_driver.service"
+%systemd_post 'falco.service'
 
 # post install mirrored from .deb
 if [ $1 -eq 1 ]; then
-        if [ -n "$chosen_driver" ]; then
-            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
-            systemctl --system enable "falco-$chosen_driver.service" || true
-            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
-            systemctl --system start "falco-$chosen_driver.service" || true
-        fi
+        # This will only remove masks created on package removal.
+        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
+
+        # enable falco on installation
+        # note: DEB postinstall script checks for changed symlinks
+        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
+
+        # start falco on installation
+        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
 fi
 
 # post upgrade mirrored from .deb
 if [ $1 -gt 1 ]; then
     if [ -d /run/systemd/system ]; then
-        echo "[POST-INSTALL] Trigger deamon-reload:"
-        systemctl --system daemon-reload || true
-        if [ -n "$chosen_driver" ]; then
-          echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
-          # restart falco on upgrade if service is already running
-          systemctl --system condrestart "falco-$chosen_driver.service" || true
-        fi
+        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+
+        # restart falco on upgrade if service is already running
+        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
     fi
 fi

scripts/rpm/postuninstall.in

@@ -17,12 +17,17 @@
 
 set -e
 
-if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        echo "[POST-REMOVE] Disable all Falco services:"
-        systemctl --system disable 'falco-kmod.service'|| true
-        systemctl --system disable 'falco-bpf.service' || true
-        systemctl --system disable 'falco-modern-bpf.service' || true
-        systemctl --system disable 'falco-plugin.service' || true
-        echo "[POST-REMOVE] Trigger deamon-reload:"
-        systemctl --system daemon-reload || true
+# post uninstall mirrored from .deb
+if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
+        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
 fi
+
+# validate rpm macros by `rpm -qp --scripts <rpm>`
+# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+
+# systemd_postun_with_restart macro expands to
+# if package upgrade, not uninstall:
+#   `systemd-update-helper mark-restart-system-units <service>`
+%systemd_postun_with_restart 'falco.service'

scripts/rpm/preuninstall.in

@@ -19,17 +19,11 @@ set -e
 # pre uninstall mirrored from .deb
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        echo "[PRE-REMOVE] Stop all Falco services:"
-        systemctl --system stop 'falco-kmod.service' || true
-        systemctl --system stop 'falco-bpf.service' || true
-        systemctl --system stop 'falco-modern-bpf.service' || true
-        systemctl --system stop 'falco-plugin.service' || true
-        # this should be stopped after 'falco-kmod.service'
-        systemctl --system stop 'falco-kmod-inject.service' || true
+        # stop falco service before uninstall
+        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
 fi
 
-echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
-falco-driver-loader --clean
+/usr/bin/falco-driver-loader --clean
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -38,7 +32,4 @@ falco-driver-loader --clean
 # systemd_preun macro expands to
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
-%systemd_preun 'falco-kmod.service'
-%systemd_preun 'falco-bpf.service'
-%systemd_preun 'falco-modern-bpf.service'
-%systemd_preun 'falco-plugin.service'
+%systemd_preun 'falco.service'

scripts/systemd/falco-kmod-inject.service

@@ -1,8 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with kmod, inject.
-Documentation=https://falco.org/docs/
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco

scripts/systemd/falco-kmod.service

@@ -1,30 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with kmod
-Documentation=https://falco.org/docs/
-After=falco-kmod-inject.service
-Requires=falco-kmod-inject.service
-Conflicts=falco-bpf.service
-Conflicts=falco-modern-bpf.service
-Conflicts=falco-plugin.service
-
-[Service]
-Type=simple
-User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
-UMask=0077
-TimeoutSec=30
-RestartSec=15s
-Restart=on-failure
-PrivateTmp=true
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=full
-ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
-RestrictRealtime=true
-RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target

scripts/systemd/falco-modern-bpf.service

@@ -1,26 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with modern ebpf
-Documentation=https://falco.org/docs/
-Conflicts=falco-kmod.service
-Conflicts=falco-bpf.service
-Conflicts=falco-plugin.service
-
-[Service]
-Type=simple
-User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
-UMask=0077
-TimeoutSec=30
-RestartSec=15s
-Restart=on-failure
-PrivateTmp=true
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=full
-ProtectKernelTunables=true
-RestrictRealtime=true
-RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target

userspace/engine/falco_engine.cpp

@@ -346,11 +346,6 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	if(source_idx == m_syscall_source_idx)
 	{
-		if(m_syscall_source == NULL)
-		{
-			m_syscall_source = find_source(m_syscall_source_idx);
-		}
-
 		source = m_syscall_source;
 	}
 	else
@@ -392,6 +387,7 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
+		m_syscall_source = find_source(m_syscall_source_idx);
 	}
 
 	return idx;

userspace/falco/configuration.h

@@ -400,8 +400,7 @@ namespace YAML {
 
 			if(node["open_params"] && !node["open_params"].IsNull())
 			{
-				string open_params = node["open_params"].as<std::string>();
-				rhs.m_open_params = trim(open_params);
+				rhs.m_open_params = node["open_params"].as<std::string>();
 			}
 
 			return true;